Kerberized authorization service

Ken Hornstein kenh at cmf.nrl.navy.mil
Tue Jan 29 09:14:41 EST 2008


>Recently, I had a couple of my student employees work up a
>proof-of-concept using SAML (with a kerb auth as part of the payload)
>as the protocol -- since SAML seems like a more likely future direction
>for a standardized auth protocol than something I threw together one
>night in 1990 :)

I am not that sure, actually.  Every time I look at SAML, I re-remember
my biggest issue with it - the spec is frickin' huge (379 pages for all
of the documents for SAML 2.0).  Also, it's rather "webby" ... I mean,
the protocol is based on HTTP?  You need an XML library?  And it seems
that you probably need SOAP in there as well.  Every example I've seen
of it clearly is web-oriented.  I guess I see the advantage to using
it when you have an already-bloated web server, but cramming all of
that into sshd?  Ugh.

Okay, you'll bring up points about code reuse, complying with a
standard, having someone else design the protocol, etc etc ... yeah, I
don't disagree with you on all that.  But it just seems like a whole
mess of baggage you're getting when a home-grown protocol will be
simpler to understand, easier to maintain, and overall less work.

--Ken
